Report: NASA Vulnerable To Crippling Cyber Attacks

By IBT Staff Reporter On 03/29/11 AT 12:28 PM

The computer network NASA relies upon to carry out its billion-dollar missions is just like your Mac or PC at home: vulnerable to cyber attacks.

NASA's servers contain vulnerabilities that could enable a cyberattack to cripple the entire agency, according to a recent audit report from The Office of the Inspector General. The report was an unflattering look at NASA's internal computer security operations, as the Inspector General recommended the agency expedite the implementation of a new agency-wide program to oversee the network security problem.

"We found that computer servers on NASA's agency-wide mission network had high-risk vulnerabilities that were exploitable from the Internet. Specifically, six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable," said Inspector General Paul K. Martin, in the report.

According to Martin, the six servers were associated with IT projects that control spacecraft or critical NASA data. The NASA computer network is comprised of 190 IT systems, all vulnerable if a cybercriminal got past one entry point.

"Moreover, once inside the Agency-wide mission the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA's operations," Martin said.

The Inspector General's office said it used Nmap, a software program that can discover what IT assets are accessible from the internet. It identified eight projects, two of which had been decommissioned before the report was finished, that had vulnerabilities. It then interviewed NASA personnel for each project to assess the level of preparedness. The report found the agency's preparedness was insufficient.

It cited a 2009 incident in which cybercriminals identified a network-supporting computer and infected it. The infection caused the computer system to make 3,000 unauthorized connections to domestic and international IP addresses. In another attack pointed out in the report, cybercriminals stole 22 gigabytes of export-restricted data from a NASA Jet Propulsion Laboratory system.

NASA sent a response concurring with a lot of the recommendations set forth by the Inspector General's office. "The NASA CIO will work with the Mission Directorates and Centers to develop a comprehensive approach to ensure Internet-accessible computers on NASA's mission networks are routinely identified, vulnerabilities are continually evaluated, and risks are promptly mitigated," Linda Y. Cureton, director of Information Technology at NASA, said in a letter to the Inspector General's Office.

Cureton also wrote that the agency agrees with the Inspector General's Office on the need to conduct an agency-wide security risk assessment. It said it is already developing tools to do this and plans on conducting a pilot assessment in August of this year. The Inspector General's Office accepted NASA's response.